Britain's data protection watchdog said on Friday it has fined IAG's British Airways 20 million pounds ($25.85 million) - its biggest such penalty to date - for failing to protect personal and financial details of more than 400,000 of its customers.

"Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result," the Information Commissioner's Office (ICO) said of a cyber attack the airline suffered in 2018.

IAG shares slid to session lows following the announcement. By 0917 GMT, they were 3% lower at 93.2 pence.

The regulator said it considered representations from BA and the economic impact of the coronavirus crisis on their business before setting a final penalty, which was considerably less than the 183.4 million pounds proposed last year.

The ICO said its investigators found BA should have identified weaknesses in its security and resolved them with measures available at the time, which would have prevented the cyber attack.

British Airways did not immediately respond to a Reuters request for comment.

 

($1 = 0.7736 pounds)

(Reporting by Muvija M in Bengaluru; Editing by Krishna Chandra Eluri) ((Muvija.M@thomsonreuters.com; within UK: +44 20 7542 1810, outside UK: +91 80 61822698; Twitter: https://twitter.com/muvija_m;))